As with any statistical report, the numbers in the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 provide a dizzying variety of analytical options. However, given that the report, published last month, is subtitled ‘Preparations for the new Data Protection Act’ there are two sets of numbers which stand out.

The first relates to the fact that, when it comes to awareness, size does matter. Larger organisations are significantly more aware of General Data Protection Regulation (GDPR) and its UK counterpart the Data Protection Act (DPA). The second is that when asked about what steps had been taken to change procedures and policies, across the survey group as a whole, only 4 per cent had taken any practical steps to improve levels of compliance.

Addressing the first issue. It is perhaps not surprising that the larger the organisation, the greater the level of awareness. Of the 1,519 businesses surveyed, awareness of GDPR and the DPA was highest among large organisations (80 per cent) and lowest among micro businesses (31 per cent). Of the 569 charities surveyed, those managing over £5 million a year annual turnover had higher awareness levels (90 per cent) than those managing less than £10k (36 per cent).

As for the second issue of procedures and policies, this is where the numbers show the real picture. By the time the survey conducted by Ipsos MORI had drilled down to asking about what practical changes had been made by December 2017 to address compliance, of the original 1,519 businesses and 569 charities questioned, only 174 businesses and 70 charities were still in the survey. The rest had fallen by the wayside following questions on general awareness GDPR and the new DPA 2018.

The DPA 2018 is the UK’s solution to data protection and will replace the current UK DPA 1998. Whilst organisations will still have to comply with GDPR, one element of the DPA 2018 is the details of how GDPR will apply in the UK, the processing that does not fall within UK law and also the EU’s Law Enforcement Directive.

Of those who remained in the survey only 36 per cent had made changes to their policies or procedures. That means that of the original total number of businesses and charities questioned only 4 per cent had made any changes in response to the forthcoming legislation. The figures are even lower for the question regarding additional staff training around the DPA and GDPR.

Clearly there is a huge amount of work to be done to bring UK businesses and charities closer to compliance. The worrying fact is that time is not on our side. From 25th May 2018 GDPR will become law and the new DPA is due to be enacted at the same time, with significantly higher fines issued to those who do not comply. Those already adhering to the existing Data Protection Act will be some way toward compliance. With awareness levels so low, however, there are many businesses which require guidance as to what the GDPR and new DPA involves and what steps need to be taken.

SRM has developed a helpful Self-Assessment Questionnaire which maps out the areas which need to be addressed and provides a practical interpretation of what these mean to organisations. Whether a large corporate or a small charity, the questionnaire highlights the areas that need to be considered.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.

SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles in either traditional part time roles or via our VirtualCISOtm.